reMIX is back this year bigger and faster than ever. I know this is old news but I'm running a little behind at the moment.
Check out the website and Register now for a bargain price of $199 (Inc GST) - we are doing 1 day in 2 cities:
Sydney
May 20
Powerhouse Museum
Harris Street, Ultimo
Melbourne
May 22
Melbourne Town Hall
Cnr Swanston & Collins
Street, Melbourne
Shanemo and delicategenius are the content head honchos and have done an awesome job of pulling together great speakers and content - checkout the session list.
I've managed to land a speaking gig right before drinks!;
"Bringing Hosters and Developers together with IIS7"* - Come learn about all the great new features in Microsoft Internet Information Services 7 for hosters and web farm managers including creating a highly customizable environment for building scalable and reliable media applications.*
* subject to change!
Many exciting things happening leading up to this, check out your chance to win free tickets, a zune or a silverlight skateboard.
- jorke
via Christian
This years Hosting Days is "Fast Tracking Your Success with FastLane" in a city somewhere close to you, unless you are in Darwin or Alice Springs or Cameron's Corner....
Phil and I have the first track, which is the fun track all about the HOW of hosting.
Go to https://partner.microsoft.com/australia/40048707 to see the agenda and register
see you there!
- jorke
For the past few days a "Cyber attack" has been taking place and according to internetnews.com :
"number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000"
and f-secure :
"Performing a Google search results in over 510,000 modified pages."
Without pointing out the reporting inconsistencies between servers and pages .... what is actually happening here..
First of all its not at all related to the security advisory that was released last week. Nor is it in fact related to any other security issue with IIS, ASP, ASP.NET or Windows. It's really important to understand that, its all to do with dodgy and insecure development practices.
Well very simply put its an age old SQL injection attack on a web site that modifies the return code adding a hidden link to a site that downloads malware to client viewing the web page. Nothing new technology wise here, just a new method of delivery - which really should not affect those who have kept their machines up-to-date.
In this case the attackers have chosen to target ASP/ASPX based web sites that have poorly written validation methods and deliver their code via a database content management system. The result being that pages on the site will return a hidden script tag that directs to one of the sites listed in the earlier articles - which picks on particular vulnerabilities available on the client machine, not just those related to software developed by Microsoft either.
Well that's all very nice you say - but "How do I protect myself against these kind of attacks?".
The way I see it, there are three areas of responsibility where lies the ability to protect the world against those few malicious people.
1. The Developer - FIX YOUR BROKEN CODE! Seriously - check your code for possible attack vectors and test, test test. I've seen heaps of web sites and web servers compromised due to poorly written or no validation checking. Incorrect security settings deploying to high risk environments. Don't always assume you know who is going to access your app. Don't assume that app will exist with everything local to it. Catch those errors - I could go on. There is heaps of guidance around this - here is a few to start you off:
2.The Client - Keep your machine up-to-date - as Coatsy says "go to update.microsoft.com and Download the golden padlock of goodness" from Microsoft Update.
3. The System Admin / Hoster / Guy who has to run the web server - Hey I sympathise with you most (of course I would!) You have to get a site with poorly written code up and running, and now what? you have to check the thing isn't going to compromise your server? but of course the code supplied doesn't work in your standard low security settings to you need to bend the rules to allow that code to work.. Be Strong!
But you may have been too late, and you have to clean this mess up on your server - how are you going to prevent this malicious code being delivered to and from your server, while keeping everything up and running?
Stop the attack coming in
If you are using IIS7 or URLScan on IIS6.0/5.1 you can filter the request to prevent the incoming attacks. In IIS7 This is what the configuration string looks like in your server wide applicationhost.config file (based on the info in articles):
<requestFiltering>
<denyUrlSequences>
<add sequence="DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300" />
</denyUrlSequences>
</requestFiltering>
Stop it going out
This is a little trickier, but due to the awesome modularity of IIS7 (only going to look at this) you can very easily write a module that can look in all the requests scan for the URL sequence in the response and send it to null. More information on doing this is at the IIS.NET website. Hey, if I get enough comments I'll write one and post it up here!
Done and Dusted
What we all need to remember about these kind of attacks is that vulnerability in the web sites being targeted are not limited to just a particular operating system platform. SQL Injection attacks is rampant in many platform agnostic applications and its such a simple thing to prevent.
As you have probably guessed I'm pretty passionate about this subject, and when I see such misguided reports and irrational reactions to incorrect or misunderstood information, it inspires me to ensure that the truth of the issue is available. Speaking personally; In my short time at Microsoft, I have never seen such commitment behind ensuring that the Windows Operating System is the most versatile and secure operating system on earth.
- jorke
Note: Graphics "borrowed" from Microsoft Japan Security Bulletins
Important heads up with regards to a potential privilege escalation issue when running under NetworkService – which we all know is the IIS default.... But also note that it requires native code or full trust .NET.
Hosting Providers with Shared Hosting configurations should pay careful attention to this and ensure that they are running a customised version of medium trust at the very least - http://msdn2.microsoft.com/en-us/library/ms998341.aspx. Also be wary of any custom ISAPI extensions - i.e do a code review.
High level summary:
Processes running under Network Service identity can elevate to Local System on XP, Win2k3, Vista and Win2k8. Additionally, on Win2k3 any process running with an identity that has SeImpersonatePrivilege can elevate to Local System, and this privilege is required by IIS worker process identity. The Elevation of Privilege requires running native user code or full-trust managed code.
Our guidance is of course to move your app move WPI away from NetworkService to a windows account. Additionally on Win2k3, our guidance includes disabling Distributed Transaction Coordinator service (to close the hole where any identity with SeImpersonatePrivilege can elevate).
More information here: http://www.microsoft.com/technet/security/advisory/951306.mspx
Let me know if you have any further questions or require advice.
- jorke
UPDATE (6:23pm 18/4/08):
Check out Ken Schaefer's Blog for the origin of this potential issue.
One of our local developers Dallas J Clark (Brisbane local) blogged about an article that shows PHP with a 130% performance increase on Windows Server 2008 - and of course there have been a few comments asking about the metrics of the comparison etc. So naturally I'm wading into to try and clear the water..
I have to agree that there are a lot of unknowns and its difficult to do a competitive comparison with such little comparative data. What needs to be understood as that the results are for a specific case that the customer experienced, see the case study right here.
The facts are that Microsoft has spent a lot of time working with Zend to ensure that PHP has been engineered to run well on Windows.
The key difference to understand here is that you need to understand the execution architecture differences between *nix vs Windows, respectively multi-process vs multi-threaded. As CGI is designed for multi-process execution this can give pretty ordinary performance on Windows due to the threads/cycles involved in spinning up processes every time a request is processed by the web server. Of course you could attempt multi-threading using the ISAPI filter but ask what the results were from anyone who has tried :) – especially when you are not using code you have written all yourself – thus the best way to ensure reliable performance on Windows is to run via CGI – which of course the performance is not optimal.
Now how has this changed; IIS 7 has a FastCGI module as part of its install which by its design will make anything CGI based run faster, the idea being that it allows you to process multiple requests in the one connection and once the script has been processed the FastCGI process will keep running, waiting for more requests until its spun down as part of the web server. So in this case using PHP, it eliminates the constant overhead of loading PHP into memory each time a request needs to be processed or course increasing the speed of the request.
Also there are the “NTS” non thread safe windows binaries of PHP that are available off the php.net site - These binaries allow you to execute your code without needing to wait for thread synchronisation, meaning a HUGE performance increase. Couple this with FastCGI then you are you going to experiencing PHP running at a speed never before possible.
To test this I ran a little test, for metrics sake this is Windows Server 2008 Enterprise running in Virtual PC 2007 - allocated 512MB of RAM. The host machine is a HP Compaq Laptop
nc8430 Core 2 Duo @ 2.16Ghz and 4GB RAM, with a 7200 rpm disk, running Vista of course. My methodology was to grab a simple PHP site, run PHP with the standard CGI Module run a performance test, then change handler mapping to run the FastCGI Module and run the same performance test. The site I tested was on Qdig and performance tests were using the Web Capacity Analysis Tool (WCAT). The metric measured was Get Requests / second, because this is an indication of how long the requests are taking before they need to be queued by the web server.
On the left - NTS PHP with CGIModule - maximum approx 30 rps
On the right - NTS PHP with FastCGIModule - maximum approx 870 rps
Of course your mileage will vary, but you will have a comparable or better experience than on other platforms.
Questions?
-jorke
Attended a great presentation at MIX by Tito Leverette Web Platform Architect Evangelist aka Hosting Guy from Atlanta and Rob Cameron Developer Evangelist aka Dev Guy:
Bring Hosters and Developers together with IIS7
I thought they did a great job of pointing out the differences between what a Dev guy wants and what hoster guy is going to give them :) Tito did a great job of giving the classic "BUT NARRR" then explaining why - but then again I am hoster biased...
-jorke
So I'm in vegas at MIX08 and have spent ages typing a post about some awesome new media delivery technologies that have been released when I noticed Chris Knowlton - Senior Product Manager and the King of Windows Media Streaming had already done it! - check it out here - http://blogs.iis.net/chriskno/archive/2008/03/06/exciting-media-announcements-at-mix08.aspx
I love that the bit rate throttling was demo'd in the keynote, and I love more I managed to show it off before MIX - last Tuesday at the Melbourne Heroes Launch!
-jorke
Launch of SQL 2008, Visual Studio 2008 and most importantly Windows Server 2008 !
I'm part of the launch event in the server track - presenting the session :
It's a click and go world { accelerate it! }
Where I spend my time looking at configuring Windows Server 2008 for web workloads.
This is a really awesome track that Michael Kleef has owned the design of, it shows the whole platform interacting, addressing major concerns that an IT pro has and how to integrate this into your environment. We have a kick-ass Hyper-V environment that runs on a HP server system with 16 cores - All our demos are run live of this platform.
In my session I really focus on the web workload and how you can take advantage of the number one reason people want Windows Server 2008 - IIS 7.0!
Follow the photos of the launch on Flickr and the twitter feed.
Here are the dates we're in town - I'll be there a day beforehand for setup, so if you to catch up, be sure to ping me.
Sydney: Thu 28 Feb
Melbourne : Tue 4 Mar
Las Vegas(MIX08): Wed 5 - Fri 7 - not part of the launch, but if you're there :)
Adelaide: Thu 13 Mar
Perth: Wed 19 Mar
Brisbane: Wed 26 Mar
Canberra: Wed 2 Apr
- jorke
and my brain is officially full - lots of awesome stuff to talk about. But straight back to work.
Now preparing for the Heroes Happen Launch - be sure to register @ http://www.heroeshappen2008.com.au/
here are the dates:
Sydney: Thu 28 Feb
Melbourne : Tue 4 Mar
Las Vegas(MIX08): Wed 5 - Fri 7
Adelaide: Thu 13 Mar
Perth: Wed 19 Mar
Brisbane: Wed 26 Mar
Canberra: Wed 2 Apr
its going to ROCK! Can't wait to see you all there
- jorke
the shear brain power of having 6000 geeks in one location with thousands of session on the coolest technology arround.. how to describe.. its amazing and my brain is now full! Had to take break last night so after a quick run around @ 'asking the experts' - Jeffa, Kleefy and myself went to the Seattle Supersonics vs Utah Jazz NBA.
The supersonics were smashed by the jazz, and looks like there will be a 1-1 basketball challenge on the upcoming Wave Launch between Jeffa and Kleefy :)
Meeting with some great people from all around the world, its great to hear that the problems we all have locally do reflect internationally.. its amazing that even Americans know our issues around our broadband infrastructure!
The food is pretty interesting too..
try and tell that isn't a deep fried rat.. was tasty though.
-jorke
Well I'm in Seattle for our internal tech conference, TechReady with heap of other aussie DPE folks; Jeffa, Kleefy, Barnesy, Coatesy(visiting before going to the Office Developers Conference), Rog, Nils and of course Frank is omnipresent :)
Really enjoying the weather (seriously) although compared to home is is officially brass monkeys..
Been a busy and exciting time already; Had a 2nd hand brush with fame; While dining at Ruth Chris, Kleefy shook hands with Steve Ballmer, while steve was walking out of the bathroom... I've been hanging with all the web platform evangelists from around the world at our pre-summits. Even had a chance to catch up with Wardy to check out some of the cool projects he's been up to.
So if you're in town, shoot me a line and we'll catch up.
- jorke
Technorati Tags:
Microsoft,
techready
Cam told me about this blog a little ago and I've been following it so see what they're up to. I quite like the slogan - memoirs of a goldfish - make sure you blog it before you forget it forever.. although according to wikipedia - the myth of a goldfish having a 3 second memory is false..
There is really great quality posts there that address problems that a bunch of IT professionals run into every day of the week.
Check out some of the posts by Mark Rhodes - cracking good stuff for SharePoint.
- jorke
HOORAAYY! I've had many people asking me when Windows Server 2008 was going to RTM. So here it is:
Windows Server 2008 has officially RTM'd!!!!!
Looking under MSDN/Technet subscriber downloads you can get it now:
Huge congratulations to the Windows Server team, a bit time to sit back relax and then starting working on the next version!
btw - if you have a Windows Server 2008 story, or you've deployed it and want to show off some cool stuff, let me know I have some schwage I need to giveaway!
I wonder if the lone server is going to happy about this....
- jorke
A brand new IIS blog and a shiny new tool in tech preview. Check out the tech preview of the Web Deployment Tool from the awesome IIS Team.
This new tool is designed with migration from IIS 6.0 to IIS 7.0.
Get it, try it, tell me what breaks, so far I've found it rock solid!
- jorke
The guys at Emantra pinged me today with a project we've been talking about for a while, and I'm stoked these guys have pulled this off!
Go to their site http://iis7forheroes.com/ and get yourself some of:
The first SHARED IIS7.0 web hosting in Australia! (that I know of!)
Sign up on their site for a free 1 month trial for shared web hosting on Windows Server 2008 with IIS 7.0
Well done to Cam, Russ and Ross for a job well done, where can I get a shirt like the guy in the picture? :)
- jorke